Social engineering

From Computing and Software Wiki

(Difference between revisions)
Line 1: Line 1:
-
'''Social engineering''' is a term used in computer science that referees to a non-technical type of security attack. This attack relies on the human element in any security system and is made vulnerable by exploiting a person's trust in the attacker to divulge sensitive or insensitive information. This is often accomplished by misleading or tricker the person getting attacked. In many cases, the attacked never know that they have been attacked.
+
'''Social engineering''' is a term used in computer science that referees to a non-technical type of security attack. This attack relies on the human element in any security system and is made vulnerable by exploiting a person's trust in the attacker to divulge sensitive or insensitive information. This is often accomplished by misleading or tricking the person getting attacked. In many cases, the attacked never know that they have been attacked.
 +
{| __TOC__
 +
  |}
 +
<br>
-
__NOTOC__
+
[[Image:Mitnick.jpg|thumb|300px|right|
 +
'''Kevin David Mitnick'''
 +
<br>''Born October 6, 1963''<br>
 +
Convicted of computer related crimes using social engineering.]]
-
[[Image:Mitnick.jpg]]
+
==What is Social Engineering?==
 +
Social Engineering is?
 +
*“the art and science of getting people to comply to your wishes” - Bernz.  
 +
*Attacks human side of information security
 +
*not mind control or coercion.
 +
*but rather “ticking” people
 +
**do what you want them to do
 +
**give you information that you might not have access to
 +
==Aspects of Social Engineering==
-
==Social engineering techniques and terms==
 
-
All social engineering techniques are based on specific attributes of human decision-making known as [[List of cognitive biases|cognitive biases]].<ref>CSEPS Course Workbook, unit 3</ref> These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create attack techniques, some of which are listed here:
 
-
In computer security, social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures. A social engineer runs what used to be called a "con game". For example, a person using social engineering to break into a computer network would try to gain the confidence of someone who is authorized to access the network in order to get them to reveal information that compromises the network's security. They might call the authorized employee with some kind of urgent problem; social engineers often rely on the natural helpfulness of people as well as on their weaknesses. Appeal to vanity, appeal to authority, and old-fashioned eavesdropping are typical social engineering techniques.
 
-
Another aspect of social engineering relies on people's inability to keep up with a culture that relies heavily on information technology. Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it. Frequently, social engineers will search dumpsters for valuable information, memorize access codes by looking over someone's shoulder (shoulder surfing), or take advantage of people's natural inclination to choose passwords that are meaningful to them but can be easily guessed. Security experts propose that as our culture becomes more dependent on information, social engineering will remain the greatest threat to any security system. Prevention includes educating people about the value of information, training them to protect it, and increasing people's awareness of how social engineers operate.
+
===Human===
 +
*Humans are  generally the weakest part of any security system
 +
**System admins, maintenance people, employees
 +
***all have access to the system
 +
***any one of them can jeopardize security if they are not careful
 +
***knowingly or unknowingly
 +
*All Social Engineering attacks have something in common
 +
**Take advantage of a human being’s trust
 +
*Need 2 things for a Social Engineering attack
 +
**A knowledge of the system being attacked
 +
***Lots of background work
 +
***Terminology
 +
***Names of people and places
 +
***Protocols being used
 +
***The ability to gain people’s trust
 +
===Hardware===
 +
==Notable Examples==
-
== External links ==
+
==Methods of Social Engineering==
 +
===By Phone===
 +
*Most common method
 +
*Call a company and imitate someone in a position of authority or relevance.
 +
**Supervisor, manager, system admin.
 +
***pretend they can’t log into the system
 +
***or that they need your login to troubleshoot
 +
*Help desks are most prone to this
 +
**used to helping people
 +
**trained to give out information and be friendly
 +
**want to move on to next call
 +
**minimally educated in security area
-
== References ==
+
===Online===
 +
*Many people use same password and login for internet sites
 +
**Using methods like Phishing can allow the Social Engineer to obtain lots of information about a person
 +
 
 +
===Persuasion===
 +
*The true strength of a Social Engineer
 +
*Gaining trust by
 +
**impersonation (identiy theft)
 +
**imitation (made up identity)
 +
*Uses psychological methods
 +
**Guilt
 +
**Tempting offers
 +
 
 +
===Dumpster Diving===
 +
*also known as trashing
 +
*looking through garbage for information
 +
*Many companies don’t implement any method of security for their garbage
 +
**user and password lists
 +
**Company directories
 +
**Event calendars
 +
**obsolete computers
 +
**printouts of source codes
 +
**The more a Social Engineer knows about:
 +
***a company
 +
***their protocols
 +
***terminology
 +
***the more likely he’ll be able to succeed.
 +
 
 +
===Reverse Social Engineering===
 +
*Pretend to be someone in a position of authority
 +
**employees will ask him for information
 +
*Most difficult method to pull off
 +
**requires lots of preparation
 +
**but can yield the most successful results
 +
 
 +
==Protection==
 +
*Security policies dealing with both physical and psychological elements
 +
**Standard physical security mechanisms
 +
***networks protection
 +
***good password protection
 +
***secure disposal of trash
 +
***standard security measures we’ve discussed in class
 +
**Education and training of employees
 +
***Making employees aware of Social Engineering
 +
***better recognize an attack
 +
***Authentication
 +
****Making sure the person they are speaking with is that person
 +
**Availability of ANY information
 +
***only give out information that’s need-to-know
 +
***Don’t give out confidential information
 +
 
 +
==Conclusion==
 +
*Social Engineering attacks are very difficult to protect against.
 +
*A system’s security is only as strong as the people who maintain it.
 +
*With proper training, a social Engineering attack can be made extremely difficult.
 +
*However, it can never been fully projected against.
 +
 
 +
==References==
 +
Bernz: “The complete Social Engineering FAQ!”
 +
http://www.morehouse.org/hin/blckcrwl/hack/soceng.txt
 +
 
 +
Sarah Granger : “Social Engineering Fundamentals”, SecurityFocus, December 18, 2001
 +
http://www.securityfocus.com/infocus/1527
 +
 
 +
“Social engineering (security)”, Wikipedia, November 19, 2007
 +
http://en.wikipedia.org/wiki/Social_engineering_(computer_security)
 +
 
 +
“social engineering”, SearchSecurity, October 10, 2006
 +
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci531120,00.html
 +
 
 +
Mitnick, Kevin: “My first RSA Conference,” SecurityFocus, April 30, 2001
 +
http://www.securityfocus.com/news/199
 +
 
 +
Leslie Hawthorn: “Social Engineering”, O’Reilly Network, March 10, 2006
 +
http://www.oreilly.com/pub/a/womenintech/2007/09/04/social-engineering.html
 +
 
 +
“Social Engineering”, McGuill Network Communications Services, September 7, 2007
 +
http://www.mcgill.ca/ncs/products/security/threatsdangers/socialeng/
--[[User:Shahinrs|Shahinrs]] 07:36, 7 November 2007 (EST)
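Review bot: in the new revision's "Need 2 things for a Social Engineering attack" list, the second thing, `***The ability to gain people’s trust`, is nested one level too deep under `**A knowledge of the system being attacked`; it should be a `**` item so the list actually names two things. Two typos are also introduced: `“ticking” people` (the lead paragraph says "tricking") and `it can never been fully projected against` (should be "be fully protected against"). Finally, the removed cited prose (the paragraph linking `[[List of cognitive biases|cognitive biases]]`) carried the page's only `<ref>` tag, so the new `==References==` section is now a plain list that nothing in the body points to.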

Revision as of 23:47, 30 November 2007

Social engineering is a term used in computer science that refers to a non-technical type of security attack. It relies on the human element in any security system: the attacker exploits a person's trust in order to get them to divulge sensitive, or apparently non-sensitive, information. This is usually accomplished by misleading or tricking the person being attacked, and in many cases the victims never know that they have been attacked.


Kevin David Mitnick (born October 6, 1963), convicted of computer-related crimes using social engineering.


What is Social Engineering?

Social Engineering is:

  • “the art and science of getting people to comply to your wishes” - Bernz.
  • An attack on the human side of information security
  • Not mind control or coercion,
  • but rather “tricking” people into
    • doing what you want them to do
    • giving you information that you might not otherwise have access to

Aspects of Social Engineering

Human

  • Humans are generally the weakest part of any security system
    • System admins, maintenance people, employees
      • all have access to the system
      • any one of them can jeopardize security if they are not careful
      • knowingly or unknowingly
  • All Social Engineering attacks have something in common
    • They take advantage of a human being’s trust
  • Two things are needed for a Social Engineering attack
    • Knowledge of the system being attacked
      • Lots of background work
      • Terminology
      • Names of people and places
      • Protocols being used
    • The ability to gain people’s trust

Hardware

Notable Examples

Methods of Social Engineering

By Phone

  • Most common method
  • Call a company and imitate someone in a position of authority or relevance.
    • Supervisor, manager, system admin.
      • pretend they can’t log into the system
      • or that they need your login to troubleshoot
  • Help desks are most prone to this
    • used to helping people
    • trained to give out information and be friendly
    • want to move on to next call
    • minimally educated in the security area

Online

  • Many people use the same password and login for many internet sites
    • Using methods like phishing can allow the Social Engineer to obtain a lot of information about a person

Persuasion

  • The true strength of a Social Engineer
  • Gaining trust by
    • impersonation (identity theft)
    • imitation (made up identity)
  • Uses psychological methods
    • Guilt
    • Tempting offers

Dumpster Diving

  • also known as trashing
  • looking through garbage for information
  • Many companies don’t implement any method of security for their garbage, which may contain:
    • user and password lists
    • Company directories
    • Event calendars
    • obsolete computers
    • printouts of source code
  • The more a Social Engineer knows about:
    • a company
    • their protocols
    • terminology
    • the more likely he’ll be able to succeed.

Reverse Social Engineering

  • Pretend to be someone in a position of authority
    • employees will ask him for information
  • Most difficult method to pull off
    • requires lots of preparation
    • but can yield the most successful results

Protection

  • Security policies dealing with both physical and psychological elements
    • Standard physical security mechanisms
      • network protection
      • good password protection
      • secure disposal of trash
      • standard security measures we’ve discussed in class
    • Education and training of employees
      • Making employees aware of Social Engineering
      • so that they can better recognize an attack
      • Authentication
        • Making sure the person they are speaking with is who they claim to be
    • Limiting the availability of ANY information
      • only give out information that’s need-to-know
      • Don’t give out confidential information
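One way to implement the "Authentication" item above, that is, making sure a caller really is the employee they claim to be before the help desk acts on a request: send a short-lived one-time code to a contact channel already on record for that employee (never to a number the caller supplies) and proceed only once the caller reads it back. This is an added illustration in Python, not code from the wiki page; the employee directory, the names and phone numbers, and the `send_sms` callable are constructed assumptions.

```python
"""Out-of-band caller verification for a help desk (added example, not from the wiki page).

The directory of record is the only trusted source of contact details; anything the
caller says about who they are or how to reach them is ignored until the code they
read back matches the one we sent.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300      # a code is only valid for five minutes
MAX_ATTEMPTS = 3            # lock the request after three wrong read-backs

# Constructed sample directory: usernames, names and numbers are made up.
DIRECTORY = {
    "jdoe": {"name": "Jane Doe", "phone_on_record": "+1-555-0100"},
    "asmith": {"name": "Alex Smith", "phone_on_record": "+1-555-0101"},
}


@dataclass
class Challenge:
    username: str
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class CallerVerifier:
    def __init__(self, directory, send_sms, clock=time.time):
        self.directory = directory
        self.send_sms = send_sms      # assumed callable(phone, message), e.g. an SMS gateway
        self.clock = clock            # injectable for testing expiry
        self.pending = {}

    def start(self, username):
        """Issue a one-time code to the phone number on record for `username`."""
        record = self.directory.get(username)
        if record is None:
            # Unknown user: return quietly so callers cannot enumerate accounts by reaction.
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = Challenge(username, code, self.clock())
        self.send_sms(record["phone_on_record"], f"Help desk verification code: {code}")
        return True

    def verify(self, username, spoken_code):
        """Return True only for a fresh, unused, correct code with attempts remaining."""
        ch = self.pending.get(username)
        if ch is None or ch.used:
            return False
        if self.clock() - ch.issued_at > CODE_TTL_SECONDS:
            del self.pending[username]          # expired: caller must start over
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self.pending[username]          # too many guesses: lock this request
            return False
        if hmac.compare_digest(ch.code, str(spoken_code)):
            ch.used = True                      # a code can only be redeemed once
            return True
        return False


if __name__ == "__main__":
    outbox = []                                 # stands in for the SMS gateway
    verifier = CallerVerifier(DIRECTORY, lambda phone, msg: outbox.append((phone, msg)))
    verifier.start("jdoe")
    phone, msg = outbox[0]
    print(f"sent to {phone}: {msg}")
    code = msg.split()[-1]
    print("caller read back the correct code:", verifier.verify("jdoe", code))
    print("replaying the same code:", verifier.verify("jdoe", code))
```

The point the caller never controls is where the code goes: the number comes from the directory, so an impostor who has learned a real employee's name and terminology still cannot receive the code. The expiry, the single-use flag and the attempt limit keep a code that was overheard or guessed from being replayed.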

Conclusion

  • Social Engineering attacks are very difficult to protect against.
  • A system’s security is only as strong as the people who maintain it.
  • With proper training, a Social Engineering attack can be made extremely difficult.
  • However, it can never be fully protected against.

References

Bernz: “The complete Social Engineering FAQ!” http://www.morehouse.org/hin/blckcrwl/hack/soceng.txt

Sarah Granger: “Social Engineering Fundamentals”, SecurityFocus, December 18, 2001. http://www.securityfocus.com/infocus/1527

“Social engineering (security)”, Wikipedia, November 19, 2007. http://en.wikipedia.org/wiki/Social_engineering_(computer_security)

“social engineering”, SearchSecurity, October 10, 2006. http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci531120,00.html

Kevin Mitnick: “My first RSA Conference”, SecurityFocus, April 30, 2001. http://www.securityfocus.com/news/199

Leslie Hawthorn: “Social Engineering”, O’Reilly Network, March 10, 2006. http://www.oreilly.com/pub/a/womenintech/2007/09/04/social-engineering.html

“Social Engineering”, McGill Network Communications Services, September 7, 2007. http://www.mcgill.ca/ncs/products/security/threatsdangers/socialeng/


--Shahinrs 07:36, 7 November 2007 (EST)
